This class is used througout the PCG Framework in all GET Strings.Code Generated from
phpCodeGenie (PCG) can automatically put the TextEncrypter between your requests.
For more information, check the phpCodeGenie webpage on Sourceforge -
http://phpcodegenie.sourceforge.net/
Extract taken from the PCG Framework OverView Manual
textEncrypter - Encrypting Data between scripts (requests)
Often times, you have to pass data from one script to another in your web application.
The means of passing data from one script to another in the same application would be either
though the SESSION, REQUEST or COOKIE. While the session can only be modified by your
application code, REQUEST and COOKIE can be modified by the user, if they know how it works.
e.g Lets say I have a script that shows the profile of a user when I pass the the userId to it
and I pass that userId by a GET string thru the URL
http://www.someapplication.com/viewUserProfile.php?userId=43254
As the userId is in the get String and visible to all users, malicious users, may try to
substitute that id for other id and be able to flood or get data they are not supposed to.
So one needs a way to prevent the users from changing that data, but at the same time
allow your application to pass it from script to script.
PCG uses the textEncrypyter utility class to achieve that. The textEncrypter encrypts the
data while transmitting it. Before sending data to another script, the first script encodes
it using the textEncrypter and the receiving script needs to decode it using the textEncrypter
class. The encryption uses a SALT to encrypt the data. The SALT is like a key. You can put
whatever secret word you want for it. On encryption and Decryption, the key need to be the same,
otherwise, the textEcrypter will stop the application.
The diagram above shows how the text Encrypter works. Lets say have a script that prints a link
to PHP SCRIPT 2 and appends ‘id=356’ to that link. To avoid users being able to change the id,
PCG encode the ‘356’ using the textEncrypter class, such that the resulting get String will be
something like ‘id= MjZ8eHl6’. If users try to change the value of that Id in the Get String, on
decoding that value, the textEncrypter will detect that the SALT is not the same and stop the
application.
Example Code
Php Script 1
<?
include_once(CLASS_TEXT_ENCRYPTER);
$thisTextEncrypter = new TextEncrypter();
$id = “356”;
$encryptedId = $thisTextEncrypter->encode($id);
?>
<a href=”phpScript2.php?id=<? echo $encryptedId; ?>”>Link to Script 2</a>
Php Script 2
<?
include_once(CLASS_TEXT_ENCRYPTER);
$thisTextEncrypter = new TextEncrypter();
$encryptedId = $_REQUEST[‘id’];
$id = $thisTextEncrypter->decode($id);
$userProfile = $userManager->getUserById($id);
?>